iMessage Used in Irritating Denial of Service Attacks

Some iOS app developers have reportedly been targeted in a denial of service (DOS ) attack which makes use of some major oversights in Apple's iMessage app. Hopefully, Apple will take notice before the issue becomes more widespread.

Some iOS app developers have reportedly been targeted in a denial of service (DOS) attack which makes use of some major oversights in Apple's iMessage app. Hopefully, Apple will take notice before the issue becomes more widespread.

According to the The Next Web, developers iH8sn0w, Grant Paul, and others have received innumerable messages on their iOS devices that can crash the app, and in some cases lock them out of their messaging systems entirely. This is particularly annoying because Apple's Messages app is used to manage both iMessages, which are sent from Apple's desktop messaging app, and text messages sent from cell phones.

"The iMessage spammer has now completely locked me out of my iOS Messages app, by sending long strings of Unicode chars," Tweeted Grant Paul on Friday. "Definitely a DoS."

Though the motive behind the attacks is unclear, iH8sn0w suggested on Twitter account that another iOS developer might be behind the attacks. The spam messages included references to the Anonymous group, though the connection seems unlikely as the group generally focuses on large social issues.

How it Works The attack takes advantage of several unique aspects in iMessage. First, that there is apparently no limit to how many messages can be sent to the app, or how fast those messages are sent from iMessage. While this might be fine for fast-chatting via instant message, it's allowed attackers to send messages at an alarming rate.

Second, there's no way to block individual users on iMessage. Once someone has your Apple user name, they can continue to send you messages, and there's little victims can do.

In the attacks, the victim's account receives either an enormous number of messages or extremely large messages. In either case, the sheer amount of information makes it difficult to even access the iOS app to clear out the junk being sent to it. In some cases, unusual Unicode characters or emojis can be included to make messages so large and complex that the Messages app crashes.

According to iH8sn0w, the attack appeared to be simple enough that it was being carried out with AppleScript—Apple's basic coding language. iH8sn0w also said in a Tweet that he or she eventually disabled the account in order to stop the flood of messages.

Larger Implications? The good news is that an attacker would need your iMessage account name before mounting a text message assault. It also seems like the attacks can only be run on a person-by-person basis

However, there are basic changes that Apple could implement to prevent the issue. A means to block offending users is a common feature among other chat services and apps, and Apple's decision to exclude it seems blindly optimistic.

Currently, the only recourse available to victims is to limit iMessages alerts from "my contacts only" and then remove offending individuals from your contacts.

Another change would instituting some kind of limit on messages. When we talked with Andrew Conway from Cloudmark about SMS spam, he suggested that doing away with unlimited texting plans would greatly reduce the amount of spam hitting cellphones. Even just a few seconds break for every few hundred messages would give victims a critical window to react.

Personally, this attack reminds me of the old days of AIM, where users could be knocked offline or even banned from the service with a little know-how on an attacker's part. That a relatively new feature from Apple should contain an issue that other companies solved nearly 20 years ago pretty much sums up this entire affair.

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.
Prior to PCMag, Max wrote for the International Digital Times, The International Science Times, and The Mary Sue. He has also been known to write for Geek.com. You can follow him on...
More »